[PUP-6413] Pip provider fails when using ensure => latest - Puppet Tickets

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: PUP 3.8.7, PUP 4.5.2
Fix Version/s: PUP 3.8.8, PUP 4.6.0
Component/s: None
Labels:
None

Story Points:
0
Sprint:
Client 2016-06-29, Client 2016-08-10

CS Priority:
Reviewed

Release Notes:
Bug Fix
Release Notes Summary:
Puppet now correctly connects to Pypi when managing packages with pip

Description

Pypi changed behaviour today because of vulnerabilities in urrlib, which
is used by pip.

http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

Pypi changed to denying http requests entirely instead of redirecting to
https. (I guess? I don't really understand)

Without this patch:

root@derpderp:~# cat foo.pp
package

{ 'diskimage-builder': ensure => latest, provider => pip, }

root@derpderp:~# puppet apply foo.pp
Warning: Setting templatedir is deprecated. See http://links.puppetlabs.com/env-settings-deprecations
(at /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1139:in `issue_deprecation_warning')
Notice: Compiled catalog for derpderp in environment production in 0.14 seconds
Error: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Error: /Stage[main]/Main/Package[diskimage-builder]/ensure: change from 1.17.0 to latest failed: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Notice: Finished catalog run in 0.67 seconds

So this breaks any puppet 3.x using the default pip provider.

With this patch, it just works.

Attachments

Issue Links

is duplicated by

PUP-6444 Python PIP provider version => latest stopped working for everyone pre-4.5.2

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Spencer Krum

Votes:: 3 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2016/06/15 3:06 PM

Updated:: 2016/08/11 9:58 AM

Resolved:: 2016/08/10 9:09 AM